Multilevel Early Packet Filtering Technique Based on Traffic Statistics and Splay Trees for Firewall Performance Improvement

This paper presents a mechanism to improve firewall packet filtering time through optimizing the order of security policy filtering fields for early packet rejection. The proposed mechanism is based on the optimization of the filtering fields order according to traffic statistics. Furthermore, the mechanism uses multilevel packet filtering, and in each level unwanted packets are rejected as early as possible. So, the proposed mechanism can be considered also as a device protection mechanism against Denial of Service (DoS) attacks targeting the default policy rule. In addition, early packet acceptance is done through using the splay tree data structure which changes dynamically according to traffic flows.